From 5ab9e9c4916d018e057a4eb16467af652bb4e41d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Fri, 1 Nov 2024 10:33:35 +0100
Subject: [PATCH] Override the default TLS client certificate selectors to support using certificates that don't meet the default requirements for specific providers
---
 ...IddictClientWebIntegrationConfiguration.cs | 38 ++++++++++++++++++-
 ...penIddictClientWebIntegrationExtensions.cs | 3 ++
 2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationConfiguration.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationConfiguration.cs
index 85d5b74e5..b1bc3e0c9 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationConfiguration.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationConfiguration.cs
@@ -5,7 +5,10 @@
 */
 using System.ComponentModel;
+using System.Security.Cryptography.X509Certificates;
 using Microsoft.Extensions.Options;
+using OpenIddict.Client.SystemNetHttp;
+using static OpenIddict.Client.WebIntegration.OpenIddictClientWebIntegrationConstants;
 namespace OpenIddict.Client.WebIntegration;
@@ -14,7 +17,8 @@ namespace OpenIddict.Client.WebIntegration;
 ///
 [EditorBrowsable(EditorBrowsableState.Advanced)]
 public sealed partial class OpenIddictClientWebIntegrationConfiguration : IConfigureOptions,
- IPostConfigureOptions
+ IPostConfigureOptions,
+ IPostConfigureOptions
 {
 ///
 public void Configure(OpenIddictClientOptions options)
@@ -47,6 +51,38 @@ public void PostConfigure(string? name, OpenIddictClientOptions options)
 });
 }
+ ///
+ public void PostConfigure(string? name, OpenIddictClientSystemNetHttpOptions options)
+ {
+ if (options is null)
+ {
+ throw new ArgumentNullException(nameof(options));
+ }
+
+ // Override the default/user-defined selectors to support attaching TLS client
+ // certificates that don't meet the requirements enforced by default by OpenIddict.
+ options.SelfSignedTlsClientAuthenticationCertificateSelector = CreateSelector(options.SelfSignedTlsClientAuthenticationCertificateSelector);
+ options.TlsClientAuthenticationCertificateSelector = CreateSelector(options.TlsClientAuthenticationCertificateSelector);
+
+ static Func CreateSelector(Func selector)
+ => registration =>
+ {
+ var certificate = registration.ProviderType switch
+ {
+ ProviderTypes.ProSantéConnect => registration.GetProSantéConnectSettings().SigningCertificate,
+
+ _ => null
+ };
+
+ if (certificate is not null)
+ {
+ return certificate;
+ }
+
+ return selector(registration);
+ };
+ }
+
 ///
 /// Amends the registration with the provider-specific configuration logic.
 ///
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationExtensions.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationExtensions.cs
index 3b78e5d0e..1ad218023 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationExtensions.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationExtensions.cs
@@ -7,6 +7,7 @@
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Options;
 using OpenIddict.Client;
+using OpenIddict.Client.SystemNetHttp;
 using OpenIddict.Client.WebIntegration;
 namespace Microsoft.Extensions.DependencyInjection;
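Review bot: The wrapper built by `CreateSelector` returns the ProSantéConnect signing certificate before it ever calls the selector it wraps, so an application-supplied `TlsClientAuthenticationCertificateSelector` (or the self-signed variant) is silently bypassed for that provider, and that precedence is only hinted at by the "default/user-defined" wording in the comment. The same `SigningCertificate` is also handed to both selectors, which reuses the signing key for TLS client authentication; if ProSantéConnect mandates a single certificate for both roles, a comment saying so would stop a later reviewer from flagging the key reuse, and if it does not, a dedicated client-authentication certificate would keep the two roles separate. I would put the precedence on the local function, e.g. `// Provider-specific certificates win over the wrapped selector: for ProSantéConnect the configured signing certificate is always returned, even when the application registered its own selector.`. Note also that `name` is never inspected, so the override applies to every named OpenIddictClientSystemNetHttpOptions instance — presumably intended, but worth stating. Minor style point: the switch followed by the null check collapses to `return certificate ?? selector(registration);`.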
@@ -40,6 +41,8 @@ public static OpenIddictClientWebIntegrationBuilder UseWebProviders(this OpenIdd
 // Note: TryAddEnumerable() is used here to ensure the initializers are registered only once.
 builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<
 IConfigureOptions, OpenIddictClientWebIntegrationConfiguration>());
+ builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<
+ IPostConfigureOptions, OpenIddictClientWebIntegrationConfiguration>());
 // Note: the IPostConfigureOptions service responsible for populating
 // the client registrations MUST be registered before OpenIddictClientConfiguration to ensure
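Review bot: The new `IPostConfigureOptions` registration relies on the System.Net.Http integration having already assigned its default certificate selectors by the time the web-integration post-configurator runs, because that post-configurator wraps whatever selector value it finds; if those defaults were ever assigned in a later post-configuration step rather than in a configure step, the wrapper would capture a null selector and the fallback call in `CreateSelector` would fail at first use. The comment directly below records an ordering constraint for the client-registration post-configurator, and this registration deserves the same treatment, e.g. `// Note: this post-configurator wraps the TLS client certificate selectors set by the System.Net.Http integration and must therefore run after they have been assigned.`. The enclosing `UseWebProviders` method starts and ends outside the hunk.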